
Threat Intel Report: Warlock Professional Development, China Ties, and the Multiple Variants it Planned from the Start
Halcyon assesses Warlock ransomware group likely has some ties to Chinese nation-state actors. This assessment is based on the group's early access to a Chinese zero-day campaign and new malware samples and technical analysis, which highlight professional-grade development most consistent with nation states or advanced criminal groups.
Given this group's likely ties, we expect future Chinese espionage operations could similarly end in ransomware attacks.
Steps You Can Take Today
- Detect: Watch for malicious Microsoft Installer (MSI) packages, Dynamic-Link Library (DLL) sideloading (clink_x86.exe, 7z.exe), and antivirus (AV) termination attempts.
- Mitigate: Patch exposed apps (esp. SharePoint), restrict MSI execution, harden backups, deploy advanced ransomware agent protection (like Halcyon).
- Respond: Isolate impacted systems, preserve artifacts (MSI packages, PDB paths, ransom notes), involve compliance and legal teams, report to trusted threat intelligence partners and government partners.
Warlock: A Disciplined and Deliberate Ransomware Group
Warlock emerged publicly in June 2025, though its infrastructure and malware development began in March. The group gained notoriety in July 2025 for conducting ransomware attacks against already-compromised victims of China's ToolShell zero-day campaign exploiting on-premises SharePoint servers. Warlock enjoys the distinction of registering as the final LockBit affiliate under the username wlteaml before LockBit's data leak in May 2025. It has since leveraged LockBit both as an operational tool and a development foundation.
Warlock = Storm-2603 = CL-CRI-1040
Our technical analysis shows that Warlock, Storm-2603, and CL-CRI-1040 are the same group, linked by infrastructure, contact IDs, development paths, and overlapping tactics.
- All three groups used the same Tox ID and email addresses in ransomware notes. The username for this Tox ID is the same used to register as a LockBit affiliate.
- All three groups used the same misspelled domain for command and control.
- Warlock ransomware and the AK47 ransomware developed by CL-CRI-1040 originated from the same development environment.
- All three groups have used the same two families (Warlock/AK47/X2ANYLOCK and LockBit 3.0) in attacks.
- Timeline alignment between development activities and public emergence.
Likely Connections to Chinese Nation-State Actors
Warlock demonstrates the discipline, resources, and access characteristic of nation-state–aligned threat actors, not opportunistic ransomware crews. The strongest indicators pointing to Chinese nation-state ties include:
Early Access to Zero-Days (ToolShell)
- Warlock exploited the ToolShell zero-day in on-premises SharePoint servers before public disclosure. The only other groups exploiting the vulnerability before Warlock were Chinese nation-state actors tracked by Microsoft as Linen Typhoon and Violet Typhoon.
- Pre-disclosure access to zero-days is extremely rare for opportunistic affiliates, but common for nation-state aligned actors with privileged access.
Multi-Builder Strategy
- From the very first builds, Warlock coordinated dual-family testing of LockBit 3.0 (also known as Lockbit Black) and Warlock. This shows pre-planned use of multiple ransomware families to complicate attribution and frustrate defenses.
- This kind of parallel, professional planning is unusual among ransomware affiliates, who typically stick to a single framework.
Rapid, Disciplined Development Cycles
- Warlock demonstrated 48-hour iteration cycles and structured progression between major feature additions. Its builds had precise, minute-level compile timestamps, reflecting structured team workflows.
- This resembles professional, tiered software development lifecycles, not the ad hoc development more common among new ransomware groups.
Professional Development Environment
- The group's use of a centralized, organized project structure indicates a team with dedicated infrastructure and tooling, suggesting more institutional backing.
Deliberate Operational Security (OPSEC) Practices
- Systematic OPSEC measures like stripped timestamps, falsified payload backdating, and intentionally corrupted expiration mechanisms for testing indicate sophistication and long-term planning.
- This contrasts with affiliates who usually deploy ransomware "as-is" from leaked or purchased kits.
Cohesive Command and Control
- Consistent contact information and shared, misspelled domains across Warlock, LockBit, and Babuk deployments suggest cohesive command and control operations, not opportunistic infrastructure reuse.
Development Timestamps Consistent with China
- Warlock compiled ransomware payloads at 22:58-22:59 China Standard Time and packaged them into a malicious installer at 01:55 the next morning.
- Evening compilation followed by early morning packaging reflects a realistic testing and packaging workflow that aligns with late-night operational schedules common to Chinese cybercriminal or state-aligned proxies.
Blending Criminal & Nation-State Tradecraft
- Warlock operated as a LockBit affiliate but also leveraged its own frameworks.
- This hybrid model (affiliate participation + bespoke toolchain + zero-day exploitation) is consistent with state-aligned contractors or proxies, not freelance affiliates.
Technical Analysis: Warlock's Multi-Builder Strategy
Warlock operates a sophisticated multi-builder ransomware operation using Warlock, LockBit 3.0, and Babuk ransomware families. The primary custom encryptor is Warlock ransomware. Halcyon confirmed through build paths and file extensions that the group internally refers to the ransomware as Warlock but publicly refers to it as AK47 / X2ANYLOCK.
1. Warlock / AK47 / X2ANYLOCK
- Uses .x2anylock extension
- Ransom notes: How to decrypt my data.txt/log
- Derived from LockBit 3.0 builder with AES + RSA encryption
2. LockBit 3.0 (Leaked Builder)
- Maintains standard LockBit extensions
- Shares identical contact infrastructure with Warlock
- Deployed alongside Warlock using DLL sideloading
3. Babuk Variant
- Uses .babyk extension
- Compiled with falsified March 2021 timestamps to complicate attribution
Development Timeline
Warlock quickly and professionally developed ransomware and tactics for deploying multiple variants over a two-month period. The group's rapid evolution in April from the LockBit 3.0-only deployment to a multi-ransomware deployment 48 hours later, followed by Babuk deployment in July, shows operational flexibility, detection evasion capabilities, attribution confusion tactics, and sophisticated builder expertise using leaked and open-source ransomware frameworks.
March 2025
Infrastructure established; AK47 C2 framework initiated.
April 2025
LockBit-only deployment (April 15) to dual LockBit/Warlock deployment within 48 hours (April 17). Registration as LockBit affiliate followed.
May 2025
Continued variant testing; LockBit leak exposes Warlock username wlteaml.
June 2025
Public launch of "Warlock" brand; transition to Ransomware-as-a-Service.
July 2025
Adds Babuk; mass exploitation of ToolShell vulnerabilities targeting SharePoint servers.
September 2025
Ongoing campaigns against global victims.
Malware Discoveries
Halcyon's original malware analysis uncovered new details, painting a clearer picture of Warlock's professional and systematic approach.
Dual-Family Testing from the Start
Halcyon discovered a 7 April 2025 Warlock prototype and an 11 April LockBit 3.0 sample shared an identical decrypt ID (41d6a055-bded-42f0-9e80-0774e2276b4b). This overlap demonstrates that Warlock's strategy of deploying multiple ransomware families was intentional from the beginning rather than a later adaptation.
Methodical Development Timeline
Warlock's malware progression revealed methodical, professional development practices with incremental feature implementation:
- April 7: Created first AK47 prototype; contained no encryption code, demonstrating Warlock's methodical approach to incremental development by first implementing contact mechanisms and ransom note deployment.
- April 11: Coordinated testing of both LockBit 3.0 and Warlock encryptors.
- April 13: Created experimental encryption version for testing.
- April 15–17: Production of malicious installer (MSI) packages, including a rapid shift from LockBit 3.0-only deployment to dual LockBit 3.0/Warlock within 48 hours.
Expansion to a Third Ransomware Family
On 21 July 2025, Warlock deployed Babuk ransomware, reusing the same infrastructure but applying falsified compile timestamps from 2021 to obscure attribution. This extended Warlock's arsenal to three ransomware families under one coordinated command.
Professional MSI Engineering
Halcyon's analysis of MSI installers revealed professional development practices. The 15 April package included timestamp stripping and DLL sideloading for LockBit 3.0. By 17 April, Warlock had progressed to a combined multi-ransomware package with precise compile-time coordination, demonstrating 48-hour development cycles.
- The LockBit 3.0-only malicious installer bbb.msi used clink_x86.exe as a legitimate application to sideload the malicious clink_dll_x86.dll, whose timestamp was stripped, likely for operational security.
- The dual Warlock and LockBit malicious installer (MSI) package used Mpclient.dll (timestamp 17.04.2025 14:58:28 UTC) and 7z.dll (timestamp 17.04.2025 14:59:46 UTC) for Warlock and clink_dll_x86.dll for LockBit 3.0.
PDB Path Analysis: The multi-ransomware malicious installer (MSI) package indicated a professional project structure within an organized AK47 framework, specialized DLL hijacking components, and production-ready x64 Release builds.
- Mpclient.dll: C:\Users\Administrator\Desktop\work\tools\ai\ak47\cpp\encrypt-dll\encrypt\x64\Release\encrypt.pdb
- 7z.dll: C:\Users\Administrator\Desktop\work\tools\ai\ak47\cpp\7zdllhijacked\7zdllhijacked\x64\Release\My7zdllhijacked.pdb
Expiration Date Mechanisms
Across multiple samples, Halcyon identified intentionally corrupted expiration mechanisms, such as malformed date structures, clearly used for testing purposes. Even after production versions were released, these experimental builds continued in parallel development, indicating structured R&D processes.
- AK47 / X2ANYLOCK implemented expiration date mechanisms that terminated execution if monitored files show modification dates beyond specific thresholds.
- Early implementations used a June 2026 expiration date with monitoring of specific Windows system objects. Later implementations extended the expiration to September 2026, with expanded monitoring of seven specific files and directories.
Values like *(_DWORD *)&SystemTime.wYear = 395242 appear consistently across development versions, with a sample from May showing continued use of the same corruption technique even after production deployments, suggesting ongoing parallel development of experimental and production versions.
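To make the decompiler idiom above concrete, here is an added Python helper (not Halcyon's tooling) that splits the DWORD store back into the two SYSTEMTIME WORDs it overwrites. The function names and the regex are mine; the two sample statements are the ones quoted on this page.

```python
import re
import struct
from datetime import date

# Win32 SYSTEMTIME is eight consecutive 16-bit WORDs in this order:
# wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds.
# A 32-bit store at &SystemTime.wYear therefore fills wYear (low word)
# and wMonth (high word) in one instruction; the decompiler renders that
# as "*(_DWORD *)&SystemTime.wYear = <value>", which looks malformed
# until the value is split back into its two halves.

_DWORD_STORE = re.compile(r"\*\(_DWORD \*\)&SystemTime\.wYear\s*=\s*(\d+)")
_DAY_STORE = re.compile(r"SystemTime\.wDay\s*=\s*(\d+)")


def split_dword(value):
    """Return (wYear, wMonth) for a DWORD written at &SystemTime.wYear."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    # x86/x64 are little-endian: the low WORD lands in wYear.
    w_year, w_month = struct.unpack("<HH", struct.pack("<I", value))
    return w_year, w_month


def decode_assignment(text):
    """Parse one decompiled statement and return the threshold fields.

    Result keys: wYear, wMonth and, when the statement also sets it, wDay.
    Returns None when the text is not the pattern seen in these samples.
    """
    m = _DWORD_STORE.search(text)
    if m is None:
        return None
    w_year, w_month = split_dword(int(m.group(1)))
    fields = {"wYear": w_year, "wMonth": w_month}
    d = _DAY_STORE.search(text)
    if d is not None:
        fields["wDay"] = int(d.group(1))
    return fields


def describe(fields):
    """Render fields as YYYY-MM or YYYY-MM-DD; None if not a calendar date."""
    y, m = fields["wYear"], fields["wMonth"]
    if not 1 <= m <= 12:
        return None  # high WORD is not a month: a genuinely malformed structure
    if "wDay" not in fields:
        return f"{y:04d}-{m:02d}"
    try:
        return date(y, m, fields["wDay"]).isoformat()
    except ValueError:
        return None


def threshold_from_statement(text):
    """Convenience wrapper: decompiled statement -> printable threshold or None."""
    fields = decode_assignment(text)
    return None if fields is None else describe(fields)
```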
Detection, Mitigation & Incident Response
Detection
Organizations should monitor for indicators of Warlock activity across multiple stages of the attack chain:
- Suspicious MSI package execution, particularly files that sideload DLLs through binaries such as clink_x86.exe, 7z.exe, or MpCmdRun.exe [M1038].
- The presence of known Warlock-associated file extensions (.x2anylock, .babyk) and ransom notes titled How to decrypt my data.txt or .log [M1040].
- Abnormal process behaviors such as antivirus service termination, 25-second staged execution delays, and group policy modification events [M1047].
- Network connections to known Warlock infrastructure, including update.updatemicfosoft[.]com [M1031].
- Consistent Tox ID or email infrastructure re-use (ziqbwnscvbsj@proton[.]me, asdcspocnsdke@proton[.]me, tfefwapyasd3@proton[.]me) [M1031].
- Deploy a dedicated anti-ransomware solution like Halcyon to block malicious binaries pre-execution, detect runtime behavior, prevent tampering, stop data exfiltration, and harden backup integrity [M1038; M1040; M1031; M1053].
Mitigation
Mitigation strategies should address both initial access and lateral movement:
- Apply patches to internet-facing applications such as SharePoint to prevent exploitation of known vulnerabilities like ToolShell [M1051].
- Enforce application control and restrict MSI execution from untrusted paths [M1038].
- Implement hardened backup and recovery strategies, ensuring offline copies are resilient against deletion attempts [M1053].
- Deploy endpoint protection capable of detecting DLL sideloading and timestamp manipulation techniques [M1040].
- Monitor for anomalous date structures and corrupted expiration mechanisms unique to Warlock's experimental builds [M1040].
Incident Response
In the event of confirmed Warlock ransomware activity, incident response teams should:
- Immediately isolate affected endpoints and networks to contain encryption spread across Windows, ESXi, or Linux environments [M1030].
- Collect and preserve evidence including MSI files, PDB paths, and ransom notes to validate attribution to Warlock/Storm-2603 [M1047].
- Engage legal and compliance teams early to evaluate disclosure requirements and coordinate with regulators [M1018].
- Report incidents to trusted threat intelligence partners and government CERTs to assist with broader disruption of Warlock's infrastructure [M1031].
Looking Forward
Warlock's professional development, use of multiple ransomware families, purposeful OPSEC, and early access to zero-day vulnerabilities used by China underscore its probable ties to Chinese nation-state actors. These characteristics position Warlock as a disciplined and durable threat actor, operating with resources and structure uncommon among typical ransomware crews.
The proximity of the group's operations to Beijing's larger ToolShell campaign highlights the potential for future Chinese espionage operations to similarly end in ransomware attacks.
References
Additional Sources
- Check Point Research: "Before ToolShell: Exploring Storm-2603's Previous Ransomware Operations"
- Unit 42 Palo Alto Networks: "Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks"
- Microsoft Security Blog: "Disrupting active exploitation of on-premises SharePoint vulnerabilities"
Indicators of Compromise (IOCs)
Primary Attribution Indicators
Tox ID
3DCE1C43491FC92EA7010322040B254FDD2731001C2DDC2B9E819F0C946BDC3CD251FA3B694A
Email Addresses
- ziqbwnscvbsj@proton[.]me
- asdcspocnsdke@proton[.]me
- tfefwapyasd3@proton[.]me
Infrastructure Indicators
Command & Control Domains
- update.updatemicfosoft[.]com
- microsfot[.]org
PDB Paths
- C:\Users\Administrator\Desktop\work\tools\ai\ak47\writenull\x64\Release\writenull.pdb
- C:\Users\Administrator\Desktop\work\tools\ai\ak47\cpp\encrypt\encrypt\x64\Release\encrypt.pdb
- C:\Users\Administrator\Desktop\work\tools\ai\ak47\cpp\encrypt-dll\encrypt\x64\Release\encrypt.pdb
- C:\Users\Administrator\Desktop\work\tools\ai\ak47\cpp\7zdllhijacked\7zdllhijacked\x64\Release\My7zdllhijacked.pdb
- C:\Users\Administrator\Desktop\work\tools\ak47c2\dnsclinet-c\dnsclient\x64\Release\dnsclient.pdb
- C:\Users\Administrator\Desktop\work\tools\ak47c2\httpclient-cpp\x64\Release\httpclient-cpp.pdb
File Extensions
- .x2anylock (Warlock/AK47 ransomware)
- .babyk (Babuk ransomware variant)
- Standard LockBit extensions (LockBit 3.0 samples)
Ransom Note Names
- How to decrypt my data.txt
- How to decrypt my data.log
Appendix: Timeline of Encryption Evolution
Development Phases in Warlock Ransomware
Phase 1: Proof-of-Concept (7 April 2025)
- Sample: 4147a1c7084357463b35071eab6f4525a94476b40336ebbf8a4e54eb9b51917f
- PDB Path: C:\Users\Administrator\Desktop\work\tools\ai\ak47\writenull\x64\Release\writenull.pdb
- Functionality: Directory traversal and ransom note deployment only
- Encryption: None implemented
- Expiration: No expiration mechanisms
- Analysis: Pure prototype demonstrating contact infrastructure and file system interaction without destructive capabilities
Phase 1.5: Coordinated LockBit 3.0 Testing (11 April 2025)
- Sample: 0ce370160edde92094fe98eedc7d35d6f692c87613816f2dca601355f3ba6e90 (LockBit 3.0)
- Functionality: Full LockBit 3.0 ransomware deployment
- Analysis: Proves simultaneous testing of both Warlock prototype and LockBit 3.0 using the same victim session identifier - demonstrating coordinated dual-family strategy from the earliest development phase
Phase 2: Experimental Versions with Encryption (April 13, 2025)
- Sample: 79bef5da8af21f97e8d4e609389c28e0646ef81a6944e329330c716e19f33c73
- PDB Path: C:\Users\Administrator\Desktop\work\tools\ai\ak47\cpp\encrypt\encrypt\x64\Release\encrypt.pdb
- Functionality: Full encryption capabilities with experimental expiration bypass
- Expiration: Intentionally corrupted with *(_DWORD *)&SystemTime.wYear = 264169; SystemTime.wDay = 10
- Analysis: Shows evolution from writenull prototype to encrypt implementation while maintaining disabled expiration for testing
Phase 3: Production Development (April 15-17, 2025)
- Evolution to full encryption capabilities with "encrypt" naming convention in PDB paths
- Professional MSI packaging with DLL sideloading
- Multi-ransomware deployment strategies
Phase 4: Multi-Builder Operations (July 2025-Present)
- Integration of Babuk and continued LockBit 3.0 deployment
- Sophisticated timestamp manipulation across all samples
- Professional RaaS operations with global reach